U.S. to allow companies to disclose more details on government requests for data

The Justice Department has agreed to relax its long-standing gag order on certain types of data requests made to companies, allowing them for the first time to publicize – in broad terms – how much customer information they must turn over to the government, U.S. officials announced yesterday.

The move amounts to a modest victory for Google, Microsoft and other technology companies that waged a legal battle for the right to disclose more information about their obligations under government surveillance programs, a sensitive issue in the aftermath of disclosures last year by former National Security Agency contractor Edward Snowden.

But both the companies and privacy advocates said the concessions, first hinted at in President Obama’s speech Jan. 17 outlining changes to surveillance programs, stop far short of providing a detailed and reliable portrait of how extensively the government gains access to private customer information for intelligence purposes.

The new policy will allow companies to report on national security letters – a form of administrative subpoena – as well as on requests from the Foreign Intelligence Surveillance Court. However, they will be permitted to disclose the volume of requests only in wide numerical ranges. Previously, companies were prohibited from acknowledging that they received such requests.

“While this aggregate data was properly classified until today, the office of the Director of National Intelligence, in consultation with other departments and agencies, has determined that the public interest in disclosing this information now outweighs the national security concerns that required its classification,” said a Justice Department statement.

The number of national security letters, a frequent tool of the FBI, could be listed as between zero and 999, for example. Companies will also be able to disclose, in similarly broad ranges, how many customer accounts are targeted. Such information can be reported, under the new rules, once every six months.

The same rules will apply to requests from the FISC. Companies will also have the option of lumping the two categories of data requests together in a single total. If they do so, the numeric range can be in smaller bands, such as between “zero and 249,” according to the Justice Department.

U.S. officials have said that more precise reporting might tip targets off to investigations.

The agreement addresses some of the concerns raised by technology companies during negotiations with Justice Department officials in the summer. Talks between the sides began after a series of filings with the FISC that formally requested a loosening of the restrictions on the grounds that they violated the First Amendment.

The five companies that had filed legal action at the FISC – Facebook, Google, LinkedIn, Microsoft and Yahoo – issued a joint statement yesterday saying they were pleased.

“While this is a very positive step,” they said, “we’ll continue to encourage Congress to take additional steps to address all of the reforms we believe are needed.”

Several technology companies long have publicized certain types of government data requests – mainly from regular courts and police – in “transparency reports,” but they were prohibited from offering a public accounting of national security letters and requests from the FISC.

Privacy advocates said that such broad accounting of requests does little to illuminate the extent of government surveillance activity that can sweep in emails, video chats, address books, web browsing histories and more.

Marc Rotenberg, executive director of the Electronic Privacy Information Center, dismissed company “transparency reports” as unreliable, with the companies focused mainly on trying to reassure customers. He said the government itself should be issuing annual reports on its surveillance activities and eventually notifying targets when companies turn over their information. Those are standard practices in the case of police wiretaps, for example.

“It would be more useful over the long term to systematize the reports,” Rotenberg said. “I don’t think that empowering the companies in their so-called ‘transparency reports’ gets us there.”

The new policy was detailed in a letter from Deputy Attorney General James Cole to the five companies that filed motions to the FISC seeking more transparency about data requests. U.S. officials also made a filing to that court, which must formally approve the agreement.

Several of the companies have urged broader changes to surveillance practices, especially those by the NSA. Technology leaders met with Obama in December to demand more-sweeping changes intended to limit data collection and make sure it always happens under court oversight.

Yesterday’s announcement received mixed reaction on Capitol Hill, with critics saying legislation is needed to curb the reach of government surveillance.

“It’s just common sense that the government should give the American people a good idea of how many of them have had their information collected,” Sen. Al Franken, a Minnesota Democrat, said in a statement. “The Obama Administration still has made no progress on that front.”

Yesterday, Apple became the first company to use the new rules to disclose how many national security letters it had received. The company said it had received fewer than 249 of the subpoenas, affecting fewer than 249 accounts, in the first six months of 2013. Apple filed an amicus brief in November supporting the other technology companies in calling for greater transparency.

“We applaud the Administration for taking this important step toward greater transparency, and we thank the Justice Department for considering Apple’s point of view as it reached this decision,” the company said in a statement.